Without some changes to the HIPS module, customers will not utilize it.

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by trjam, Jul 1, 2011.

Thread Status:
Not open for further replies.
  1. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    In the last week I have 3 friends who use Eset. They are not experts in the field of security products but they know how to ensure updates are correct and what the basic modules mean.


    I installed the RC for them. Only one had a clue as to what HIPS are and even with that did not understand a thing about creating rules.

    All agreed that unless it is something preset, they would disable it for the future.

    Wilders members are not the ones that Eset makes the crux of their money off of. Just normal joes and sometimes a few savvy customers. My fear is, without some customization to this module, the majority of customers are not even going to show it the time of day and in its current state was a total waste of money for being developed.

    Now, I myself want to see the released product with all this corrected because that is when all will see the value of it without having to completely understand it.
     
  2. JeremyW

    JeremyW Registered Member

    Joined:
    Jan 29, 2007
    Posts:
    86
    Location:
    Swindon, Wiltshire, UK
    Yep. I think that's what it's boiling down to. Although I didn't agree at first, the implication of 'RC' is that we're looking at a product that's close to release, when clearly there's no way that it is. I'm a little disheartened - enough to look at the market, but it's also why I'm now back with EAV v4: Lightweight and gives what I term 'essential protection' (+ common sense).
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's what automatic mode is for - it's intended for users who don't have a clue as to how to respond to HIPS prompts. Advanced users can create custom rules or switch to interactive mode.
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Marcos, just what does it do in automatic mode since it says it needs defined rules and there are not any. Are you sure that was not supposed to be "Disabled" instead of "Automatic"? o_O
     
    Last edited: Jul 1, 2011
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Of course, automatic mode will never protect against threats as well as interactive mode. It's impossible that the program could decide automatically between actions carried out on purpose by the user or legit software and actions carried out by malware and thus make correct decisions. This holds true for any module, be it firewall or HIPS. If the software itself could make 100% correct decisions then yes, automatic mode would protect against every single threat. However, as we all know there's no such security solution with 100% detection of threats.
    As I have stated elsewhere, HIPS is subject to evolution. There is already a set of pre-defined rules to protect crucial system processes that are invisible to the user. Newer HIPS modules will be released on a regular basis to improve HIPS protection even more for common users. Also HIPS will get more tightly bound to other protection modules over time.
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    That sounds good. As long as there is a future for it, and average users, you get a :thumb: from me.

    Thank you for answering this.
     
  7. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,741
    Location:
    New York City
    I'll be using the automatic setting. It seems to be working as I ran MRU-Blaster and the HIPS correctly warned me that startup settings were modified.
    I would hope the HIPS would block unwarranted attempts to modify startup settings.
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Only if you create a rule for that. In the next build of the HIPS module, notifications about startup settings modifications will be disabled by default as they may be annoying for most users.
     
  9. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,741
    Location:
    New York City
    Marcos, thank you.
     
  10. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    May I know how HIPS rules are created for the Automatic Mode? Via virus definition updates? The Automatic mode is so silent.
     
  11. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    I also want to know the pre-set rules in the automatic mode. I just tell lots of users in my forum that the automatic mode is somehow useful and don't give up hope!
     
  12. vigen

    vigen Registered Member

    Joined:
    Mar 28, 2011
    Posts:
    60
    I think for the HIPS, a white/black list of actions is the better solution.

    An action list to protect the Host file, the Windows kernel, etc. And an advertising when a program changes start-up settings (many malware make this action).
     
  13. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    Marcos

    I use a limited right user profile on my pc with windows XP. There is no HIPS notification in that kind of user profile. I never saw one....

    Will I be notified if HIPS is alert in a limited right profile? o_O
     
  14. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    I enabled some startup items through CCleaner and I was notified in a limited account
     
  15. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    I am surprised you can do this with no administrator rights!! o_O What version of Windows do you have?

    Here with XP, I am sure I can't do that
     
  16. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    XP SP3 here. I did not change the settings in Smart Security
     
  17. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    It is probably faster and safer to block malware using the cloud than the HIPS
     
  18. sauvageon

    sauvageon Registered Member

    Joined:
    Dec 15, 2009
    Posts:
    3
    From what I see, interactive mode is too boring (at every startup more than 20 prompt windows appear on my rig, which is really annoying), and with automatic with user rules it's always enabled (you must define the rules afterwards)... I think that's not the good way to do it:

    Maybe an automatic mode with just one prompt to define the rules (after the first start of the application), so we can disable what we don't want and it isn't boring afterwards.
     
  19. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    To bring these two functions together is the best option. Using the cloud to define the HIPS's follow-on suggestion to the user.
     
  20. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Blocking a file just by reputation from users is unsafe, as this could create false positives
     
  21. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    Reputation only shows the status and helps the user decide. And the suggestion is to accelerate the speed of TS.net, then help the user get the auto analysis result in a very short time and have the result in a pop-up window.
     
  22. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    auto analysis o_O :blink:
     
  23. Galaxykiss

    Galaxykiss Registered Member

    Joined:
    Mar 23, 2007
    Posts:
    167
    Location:
    China
    I believe there must be an auto analysis system to help the analysts in ESET's lab. We can make use of it in the cloud, not only by reputation.
     
  24. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Unknown applications could be restricted based on a risk level

    This restriction feature must be off by default, as that may be annoying for the average user
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    HIPS pop-ups in interactive mode can be enhanced by displaying reputation info from Threatsense.net cloud.
     